pam_roles(7)

Name

pam_roles - Solaris Roles account management module

Synopsis

pam_roles.so.1

Description

The pam_roles module implements pam_sm_acct_mgmt(3PAM). It provides functionality to verify that a user is authorized to assume a role. It also prevents direct logins to a role. The user_attr(5) database is used to determine which users can assume which roles.

The PAM items PAM_USER, PAM_AUSER, and PAM_RHOST are used to determine the outcome of this module. PAM_USER represents the new identity being verified. PAM_AUSER, if set, represents the user asserting a new identity. If PAM_AUSER is not set, the real user ID of the calling service is taken as the user asserting a new identity. Notice that root can never have roles.

Errors

The following values are returned:

PAM_IGNORE

The type of the new user identity (PAM_USER) is “normal”, or the type of the new user identity is “role” and the user asserting the new identity (PAM_AUSER) has the new identity name in its list of roles.

PAM_USER_UNKNOWN

No account is present for the user.

PAM_PERM_DENIED

The type of the new user identity (PAM_USER) is “role” and the user asserting the new identity (PAM_AUSER) does not have the new identity name in its list of roles.
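The decision table above, as an added example that is not part of this man page: a portable shell model of the pam_roles account-management check, run against a constructed user_attr(5) fragment. The sample entries, the use of user_attr in place of the account database, and the assumption that the caller has already resolved PAM_AUSER are this example's own.

```shell
#!/bin/sh
# Added example, not from the pam_roles(7) page: models the decision pam_roles
# makes in pam_sm_acct_mgmt() over a constructed user_attr(5) fragment.
# Assumptions: user_attr stands in for the account database, and the caller
# has resolved PAM_AUSER (falling back to the calling service's real user).
#
# user_attr line: user:qualifier:res1:res2:attr, attr = ';'-separated key=value
# pairs; "type=role" marks a role, "roles=a,b" lists roles a user may assume.
USER_ATTR='root::::type=normal;roles=admin
admin::::type=role;profiles=System Administrator
oper::::type=role;profiles=Operator
alice::::type=normal;roles=admin,oper
bob::::type=normal;roles=oper
carol::::type=normal'

# attr_of NAME KEY: print the value of KEY from NAME's attr field, if any
attr_of() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" -v k="$2" '
        $1 == u { n = split($5, kv, ";")
                  for (i = 1; i <= n; i++) {
                      split(kv[i], p, "=")
                      if (p[1] == k) { print p[2]; exit }
                  } }'
}

# has_entry NAME: succeed if NAME has a user_attr entry
has_entry() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }'
}

# pam_roles_acct_mgmt PAM_USER PAM_AUSER: print the result the page lists
pam_roles_acct_mgmt() {
    user=$1; auser=$2
    if ! has_entry "$user"; then
        echo PAM_USER_UNKNOWN; return
    fi
    if [ "$(attr_of "$user" type)" != role ]; then
        echo PAM_IGNORE; return          # normal account: not this module's concern
    fi
    # root can never have roles, so its roles= list is never consulted; a direct
    # login to a role ends here because the login service's real user is root
    if [ "$auser" = root ]; then
        echo PAM_PERM_DENIED; return
    fi
    case ",$(attr_of "$auser" roles)," in
        *",$user,"*) echo PAM_IGNORE ;;
        *)           echo PAM_PERM_DENIED ;;
    esac
}
```

Running `pam_roles_acct_mgmt admin alice` prints PAM_IGNORE while `pam_roles_acct_mgmt admin root` prints PAM_PERM_DENIED even though the constructed root entry lists admin.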

Examples

Example 1 Using the pam_roles.so.1 Module

The following example is a pam.conf(5) fragment that demonstrates the use of the pam_roles.so.1 module:

The cron service does not invoke pam_roles.so.1, because delayed jobs are independent of role assumption. All other services verify that roles cannot log in directly. The “su” service (covered by the “other” service entry) verifies that, if the new user is a role, the calling user is authorized for that role.

Example 2 Allowing Remote Roles

Remote roles should only be allowed from remote services that can be trusted to provide an accurate PAM_AUSER name. This trust is a function of the protocol (such as sshd-hostbased).

The following example is a pam.conf(5) fragment that demonstrates a pam_roles configuration allowing remote roles for the sshd-hostbased service.